Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 41 replies
  • Subscribers 3 subscribers
  • Views 17275 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

HIgh loads on Astaro

William Warren
pfilter-reporte is chewing up 100% of cpu for long periods of time resulting in system loads hovering between 1-4. Even as root in console this process won't go away.


This thread was automatically locked due to age.
Parents
  • 0
    William,
    are you using any of the p2p monitoring/helpers? I have a feeling, but I can't prove it that they go a little wild every so often. My ASG runs with some sort of load (above normal) for a couple of days, then 90-100% cpu and talks to nothing and nothing is logged.

    Makes it very hard to report problems in this forum and ask for help.

    Ian M
  • 0 in reply to RFCat_vk_01
    I have exactly the same problem with pfilter-reporte which is chewing the 80%-99% of my CPU capacity. I have disabled P2P rules but no improvement.
  • 0 in reply to William Warren
    How does your IPS Portscan configuration look like?

    The portscandetection works like that:

    For every source ip that traverses the network in keeps track of which ports have been tried to open. 
    If a certain source ip tries to connect to many different destination ports and between two port attemps is less time than 300ms than a counter is incremented. If the counter reaches a certain threshold, than the assumption is that this ip is currently doing a portscan.

    The system triggers alert/drop if somebody tries to open more than 4 different ports per second for at least 6 seconds, than the ip is marked as portscanner.

    now Skype is a pretty agressive application, which easily tries to establish that many connections per second.

    Do you have "limited logging" enabled?
    If not, please do so, as it will lower the amount of log lines generated.

    hope that helps regards
    Gert
  • 0 in reply to Gert Hansen
    al ips functions are off.  I have zero packet filter logging. I have portscan detection off, anti flood off, anti ddos off..etc.  anything that uses ips functions is off.

    Owner:  Emmanuel Technology Consulting

    http://etc-md.com

    Former Sophos SG(Astaro) advocate/researcher/Silver Partner

    PfSense w/Suricata, ntopng, 

    Other addons to follow

  • 0 in reply to William Warren
    it turns out it's part of a DOS vulnerability with the pfilter script:

    http://www.hescominsoon.com/archives/773

    Owner:  Emmanuel Technology Consulting

    http://etc-md.com

    Former Sophos SG(Astaro) advocate/researcher/Silver Partner

    PfSense w/Suricata, ntopng, 

    Other addons to follow

  • 0 in reply to andreas
    pfilter-reporter is still evil on 7.006.

    Our ASG220 was originally completely bridged and had no problems. Yesterday I moved it to a NAT style arrangement and pfilter-reporter chews 20-50% CPU.

    This is pretty sad as it kills the performance of the unit.
  • 0 in reply to James Bourne
    Coz of the bad rules update yesterday I did a fresh install of ver 7.006 from ISO.
    (No up2dates)

    CPU usage is now 2-10% whereas before it was around 70-100%..

    Great improvement, you may wish to try.. (Hint, backup first!)
  • 0 in reply to Simon Shaw
    Coz of the bad rules update yesterday I did a fresh install of ver 7.006 from ISO.
    (No up2dates)

    CPU usage is now 2-10% whereas before it was around 70-100%..

    Great improvement, you may wish to try.. (Hint, backup first!)

    if that shows progress simon that's what i'll do..[[:)]]  I'll give the fresh install a go at things..[[:)]]

    Owner:  Emmanuel Technology Consulting

    http://etc-md.com

    Former Sophos SG(Astaro) advocate/researcher/Silver Partner

    PfSense w/Suricata, ntopng, 

    Other addons to follow

  • 0 in reply to William Warren
    Good luck William.  Certainly made a difference here.  Mine had been gradually up2dated, maybe something broke during that period.
    Its peaked at around 17% since reinstall.

    Check CPU graph:
    http://www.micromine.com/cpuusage_daily.png

    Dunno if it will work for you but I'm well pleased!

    (System running IPS, Web Proxy, SMTP proxy etc, 6 site to site VPNs, 100 clients)
  • 0 in reply to Simon Shaw
    I have just reloaded w/7.006 and updated to 007.  let's see what happens now..

    Owner:  Emmanuel Technology Consulting

    http://etc-md.com

    Former Sophos SG(Astaro) advocate/researcher/Silver Partner

    PfSense w/Suricata, ntopng, 

    Other addons to follow

  • 0 in reply to William Warren
    Well i just hit the box with a BT session AND a portscan at the same time..so far pfilter is behaving.  Nice job for fixing this Astaro.

    Owner:  Emmanuel Technology Consulting

    http://etc-md.com

    Former Sophos SG(Astaro) advocate/researcher/Silver Partner

    PfSense w/Suricata, ntopng, 

    Other addons to follow

  • 0 in reply to William Warren
    this is also nice because i can now run the IPS for attacks against my internet facing servers behind the astaro machine..

    Owner:  Emmanuel Technology Consulting

    http://etc-md.com

    Former Sophos SG(Astaro) advocate/researcher/Silver Partner

    PfSense w/Suricata, ntopng, 

    Other addons to follow

Reply Children
  • 0 in reply to William Warren
    Before I attempt to reload my ASG,  what are the implications I'm going to be faced with?  I know a full backup is in order.  Did you reload and restore settings with a backup or did you manually reenter them?

    Thank you!

    EDIT:  How does one reload the ASG?  I just realized there is no CDROM on the unit.  Or am I going to need to RMA this for a working 7.006 box?
  • 0 in reply to Paul.Carpenter
    If you have an ASG appliance, contact your reseller.  They can provide you with a special CD (you can't use the ISO image that's available on the download.astaro.com site) that you can use to reload it.  You will need an USB CDROM Drive... just plug the drive into a USB port, put the CD in, and power it all up... it will automatically reload the whole system, with a message on the LCD when it's done, or if you are running a 120 / 110, it will just do the shutdown beeps when it is done.  It will take 15 to 40 minutes depending on the appliance.

    CTO, Convergent Information Security Solutions, LLC

    https://www.convergesecurity.com

    Advice given as posted on this forum does not construe a support relationship or other relationship with Convergent Information Security Solutions, LLC or its subsidiaries.  Use the advice given at your own risk.

  • 0 in reply to BrucekConvergent
    Thanks for the reply.  I'll get in contact with the reseller!